Security Incidents mailing list archives
RE: New Virus / Trojan ?
From: "Byrne Ghavalas" <security () nscs uk com>
Date: Tue, 27 Jul 2004 08:58:48 +0100
Hi Vincent,

I have seen a few of these as well, but, if I'm not mistaken, Norton is now
detecting them as a MyDoom variant. Not sure if this is what you're seeing.

FYI, you may find that the executable is packed using UPX. The versions of the
virus that I saw were packed with UPX 1.24. After unpacking the executable,
strings provides a lot more info and makes it much easier to identify the
virus.

HTH

Byrne G

|-----Original Message-----
|From: Vincent Jaussaud [mailto:Vincent.Jaussaud () kelkoo net]
|Sent: Monday, July 26, 2004 5:09 PM
|To: incidents () securityfocus com
|Subject: New Virus / Trojan ?
|
|Hi there;
|
|We just saw a malicious program coming into our network.
|
|As usual, it uses its own SMTP engine to send itself.
|
|None of our anti-virus scanners knows about it (NAV, ClamScan, File::Scan), and
|since it's a zip file, it isn't blocked by our mail system.
|
|The zip file contains one file, named (without quotes):
|
|"britney.jpg\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ 
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .scr"
|
|The zip file is 33650 bytes; while the scr file is 32768 bytes.
|
|A strings dump of the scr file gives:
|
|VWhd0@
|T$dU
|jyh^V$
|+ QR
|`"a;l
|E:HUP
|VV4t
|JRUND
|LL32.EXE %s,_mainRD
|DllRegisterS
|CLSID\{
|2716A60E-3B39-11D8-81AB-455wy
|35401}
|7 mut1
|b\%c
|c*.Se
|&';7
|)ig?O
|^{t1
|OZ<r
|\son
|r#E5
|47q<o
|J#b|
|?`(.
|KwDr
|\0}7(
| qdk
|0$"=
|C%nWl
|*tyrA
|HCzi
|th|A[
|dx71
|v&r|
|%eL&k
|^?$f
|zVPt
|{oix+
|a68p
|+LGCr
|t'pz
|f/Z0
|]1Yj_p
|09<'
|-[L(,*
|&pe6
|Rl N
|S:#Z5
|LAD+X
|^#n:
|u[ .wV
|1 -w
|,:vi
|@5}[
|6qz7kM
|anhc{]
|^~>^;
|uTWb
|w*ax
|pQgd
|u(@;;
|w60G
|k1:a
|.'1vf
|a+Y30
|#&Nv
|tS8(
|.86
|4-;;=
|nB^~
|:q;q
|F"1i
|t-wB
|7wq9
|QrBv
|/m}+H
|ow83`
|I_dTp"~
|f|s]
|&\,9
|+)2222('&%vK
|>A+-
|0k>j
|6uRg_
|% 'p
|ydpe
|+YErY
|'@g9E
|rJn@
|&S%q
|\raN
|_F"7r
|7kp(FF
|D!\S
|*f*~
|R,B?6O
|=^$cO
|KC*NA
|{55`
|^dSZ
|.\XJ
|s-eB7
|\j+
|on S
|a=]|
|<.Vk
|1v/U/
|Ouzm{
|`oD6
|m[w+!
|Zh?l
|9a-CSq
|2J18
|b_ if
|yzk}
|j=Jx
|o,a-
|Z*iga
|Ulc@
|e7)N
|B)=3
|+F8X'
|\'Ix
|faV7
|D.Gwsf
|rO\N
|4SgP
|P`dS
|KHFt
|<e"lK
|6,a@
|Xf3P
|2t0>
|w'|=
|Xj=Q
|-j-j
|J/5R
|b/3
|G4kN
|d20.5Bl
|7,.y
|=6p
|uV[,z
|[)h@\
|Y+rc
|V8B!
|9xZ,
|*[a(
|]%#
|(/,[
|vyyg
|;'A(
|\o[!=
|Z3Q#'
|p'U#')3G
|_:U;
|n=;'
|zsC}
|BhZ6
|=+D-(
|-~n,y
|Vwzr
|&u5,
|P&JC
|]naW
|h)j8
|h3DCaFV`
|s,[#
|7*GP
|$!i#
|ZP-W,^_
|m)\A
| DXy
|k}l1
|>4QC
|'=4@
|7{P0
|o'pP3x
|n[}
|R-#-
|!|Az
|qBm6
|27|8
|8<b)ga
|P(g"
|:WWh/
|mx=0
|w0E$
|>;P2
| ;h>
|M<)o
|/KV`
|^iHv
|'a.F
|36WZ
|;7/+'
|o ,u
|N+xs
|!5%S
|tdY1
|E`lR+E
|?&J[<%?
|sokg
|q]Ml
|oa#[
|w&-h
|8z,|
|)6D$
|fjE0
|ZBGaG
|vzN_
|(j'a;.[
|g/OKW(8
|IL@e
|l.^;='
|0/Jta&
|dq-m
|+-,y
|QCV:aD!
|BBu=E5
|_s_A
|%xqVo
|lk']
|6l_7
|+Kl-
|`[TOG
|?7/&
|S[go4M
|#+3?
|=k>S
|\yd7k
|<n!5
|#76R
|;H3
|s)BG
|Z63zt
|P@T}
|bws)
|j3c(
|^+ K_
|KGo5
|lYOg
|{gOw
|_w7l
|7{/6CK[O
|,;w'o
|+,=/
|(?[4M
|)+Gg
|tC*+
|Gcug
|VX`K
|nU^aJ
|fXX`
| y_7_
|[}wO
|_6Sp
|CloseHandle;
|/WriteFi
|Crea
|GetModul
|Nam~
|WiAowsDi6ctory
|LoadLibra
|Free
|0ProcAdd
|Pntt
|Tick
|SCurP
|MIxAm
|werB
|ofA PEL
|B`.rd
|X.&'
|Osrc
|wwwwwwwwwwpp
|KERNEL32.DLL
|ADVAPI32.dll
|USER32.dll
|LoadLibraryA
|GetProcAddress
|ExitProcess
|RegCloseKey
|wsprintfA
|
|If any of you already faced this one, please share any comments / ideas
|you may have.
|
|We'll try to submit this to Symantec virus analysts.
|
|If you need further info, please let me know.
|
|Thanks in advance !
|Best Regards,
|
|--
|#################################################################
| Kelkoo Security Manager / Networks & Systems Architect
| JID: portsentry () ims kelkoo net / GPG key 1024D/3BFE3FC7 2002-02-07
| Office: +(33)04 7629 7163 / Mobile: +(33)06 806 409 62
|#################################################################
|"Those who desire to give up freedom in order to gain security will not
|have, nor do they deserve, either one."
| -- President Thomas Jefferson. 1743-1826
|
Current thread:
- New Virus / Trojan ? Vincent Jaussaud (Jul 26)
- Re: New Virus / Trojan ? Vincent Jaussaud (Jul 26)
- Re: New Virus / Trojan ? Frank Reppin (Jul 26)
- Re: New Virus / Trojan ? Vincent Jaussaud (Jul 27)
- Re[2]: New Virus / Trojan ? Rafael Núñez (Jul 27)
- RE: New Virus / Trojan ? Byrne Ghavalas (Jul 27)
- <Possible follow-ups>
- Re: New Virus / Trojan ? Travis Howe (Jul 26)
- Re: New Virus / Trojan ? Michael Mucha (Jul 27)